IT Security Risks in the Office

Lack of Employee Education Causes Increased Security Threats

Sep 8, 2009

Computer viruses and malicious software that are installed on company computers can cost businesses thousands of dollars.

Most businesses recognize the importance of network security and security threats. Everyday IT personnel put in place appropriate security measures to reduce the risk of cyber attacks and virus outbreaks. However, one aspect of IT security that is largely overlooked is employee education. In most typical organizations, employees are able to make IT security decisions such as installing software or software add-ins with very little understanding of security risks.

Internet users often are unaware of the potential risks and consequences of their actions. Using social engineering, individuals with malicious intent can easily lure naïve users into clicking links, visiting websites or installing malicious software. By educating employees about computer security risks and threats, a business can heighten their security posture, even if just a little.

Most Destructive Viruses

In 2000, according to the article “The 10 Most Destructive PC Viruses of All Time”, published in Information Week, (Jones, 2006), the ‘I love you’ virus caused an estimated $10-15 billion in damage. “The bug was transmitted via e-mail with the subject line "ILOVEYOU" and an attachment, Love-Letter-For-You.TXT.vbs” (2006). The intrigue of reading a love letter lured so many people into executing a malicious program on their computer. Once executed, the e-mail was then sent out to everyone in their contact list.

On Friday, March 26, 1999, W97M/Melissa became front-page news across the globe. Estimates have indicated that this Word macro script infected 15 to 20 percent of all business PCs. The virus spread so rapidly that Intel (NSDQ: INTC), Microsoft (NSDQ:MSFT), and a number of other companies that used Outlook were forced to shut down their entire e-mail systems in order to contain the damage” (Jones, 2006). Melissa caused an estimated $300 to 600 million in damages.

While such widespread viruses like “I love you” and “Melissa”, are not as prevalent today as in the past, plenty of destructive malware is unknowingly installed on corporate computers everyday. Key loggers, root kits and adware are all installed on business machines and can compromise both corporate and personal data on business computers. The fact is, as one method of attack is mitigated, many others are developed.

Employee Education is Important in Mitigating Security Risks

Most employees do not intend to engage in any activity that would cause the installation of malicious software on their computer or on their network. Typically, individuals are not even aware that their computer has been compromised and may wait days to report annoying computer problems. If employees have more than a rudimentary understanding of the security risks involved with clicking on unfamiliar links and installing software, the rate of IT security breaches in businesses would most certainly decrease.

Computer viruses and malicious software that are installed on company computers can cost businesses thousands of dollars. Consider the lost revenue from lack of productivity, costs associated with computer repair and the risk of losing important corporate data. When corporate security is compromised the associated negative publicity could also have a debilitating affect.

Ideas for Educating Employees about Computer Security

Educating employees on a regular basis about the risks involved with clicking on a link or opening a file could save businesses time and money. Here are some ideas for employee education:

Computer security issues will not be going away anytime soon. Enlisting the forces of internal personnel to help with security is critical. While education is just a small part of mitigating computer security threats, it is certainly worth the time to train employees.

The copyright of the article IT Security Risks in the Office in Security/Antivirus Software is owned by Lucia Jenkins. Permission to republish IT Security Risks in the Office in print or online must be granted by the author in writing.